@ -1,19 +1,24 @@
ARG BASE
ARG BASE
FROM ${BASE}
FROM ${BASE}
ARG BASE
RUN echo "Install openssh, needed for scp."
RUN echo "Install openssh, needed for scp."
RUN apt-get update -y && apt-get install -y openssh-client
RUN if echo " $BASE " | grep "ubuntu:" ; then apt-get update -y && apt-get install -y openssh-client; fi
RUN if echo " $BASE " | grep "alpine:" ; then apk add openssh; fi
RUN groupadd -g 10000 groupone
# Note - on Ubuntu, we do not create the user's home directory, pam_mkhomedir will do that
RUN groupadd -g 10001 grouptwo
# Note - we do not create the user's home directory, pam_mkhomedir will do that
# for us, and we want to test that PAM gets triggered by Tailscale SSH.
# for us, and we want to test that PAM gets triggered by Tailscale SSH.
RUN useradd -g 10000 -G 10001 -u 10002 testuser
RUN if echo " $BASE " | grep "ubuntu:" ; then groupadd -g 10000 groupone && groupadd -g 10001 grouptwo && useradd -g 10000 -G 10001 -u 10002 testuser; fi
# On Alpine, we can't configure pam_mkhomdir, so go ahead and create home directory.
RUN if echo " $BASE " | grep "alpine:" ; then addgroup -g 10000 groupone && addgroup -g 10001 grouptwo && adduser -u 10002 -D testuser && addgroup testuser groupone && addgroup testuser grouptwo; fi
RUN echo "Set up pam_mkhomedir."
RUN if echo " $BASE " | grep "ubuntu:" ; then \
RUN sed -i -e 's/Default: no/Default: yes/g' /usr/share/pam-configs/mkhomedir || echo "might not be ubuntu"
echo "Set up pam_mkhomedir." && \
RUN cat /usr/share/pam-configs/mkhomedir
sed -i -e 's/Default: no/Default: yes/g' /usr/share/pam-configs/mkhomedir && \
RUN pam-auth-update --enable mkhomedir
cat /usr/share/pam-configs/mkhomedir && \
pam-auth-update --enable mkhomedir \
; fi
COPY tailscaled .
COPY tailscaled .
COPY tailssh.test .
COPY tailssh.test .
@ -22,11 +27,11 @@ RUN chmod 755 tailscaled
# RUN echo "First run tests normally."
# RUN echo "First run tests normally."
RUN eval ` ssh-agent -s` && TAILSCALED_PATH = ` pwd ` tailscaled ./tailssh.test -test.v -test.run TestSSHAgentForwarding
RUN eval ` ssh-agent -s` && TAILSCALED_PATH = ` pwd ` tailscaled ./tailssh.test -test.v -test.run TestSSHAgentForwarding
RUN rm -Rf /home/testuser
RUN if echo " $BASE " | grep "ubuntu:" ; then rm -Rf /home/testuser; fi
RUN TAILSCALED_PATH = ` pwd ` tailscaled ./tailssh.test -test.v -test.run TestIntegrationSFTP
RUN TAILSCALED_PATH = ` pwd ` tailscaled ./tailssh.test -test.v -test.run TestIntegrationSFTP
RUN rm -Rf /home/testuser
RUN if echo " $BASE " | grep "ubuntu:" ; then rm -Rf /home/testuser; fi
RUN TAILSCALED_PATH = ` pwd ` tailscaled ./tailssh.test -test.v -test.run TestIntegrationSCP
RUN TAILSCALED_PATH = ` pwd ` tailscaled ./tailssh.test -test.v -test.run TestIntegrationSCP
RUN rm -Rf /home/testuser
RUN if echo " $BASE " | grep "ubuntu:" ; then rm -Rf /home/testuser; fi
RUN TAILSCALED_PATH = ` pwd ` tailscaled ./tailssh.test -test.v -test.run TestIntegrationSSH
RUN TAILSCALED_PATH = ` pwd ` tailscaled ./tailssh.test -test.v -test.run TestIntegrationSSH
RUN echo "Then run tests as non-root user testuser and make sure tests still pass."
RUN echo "Then run tests as non-root user testuser and make sure tests still pass."
@ -35,28 +40,31 @@ RUN TAILSCALED_PATH=`pwd`tailscaled eval `su -m testuser -c ssh-agent -s` && su
RUN TAILSCALED_PATH = ` pwd ` tailscaled su -m testuser -c "./tailssh.test -test.v -test.run TestIntegration TestDoDropPrivileges"
RUN TAILSCALED_PATH = ` pwd ` tailscaled su -m testuser -c "./tailssh.test -test.v -test.run TestIntegration TestDoDropPrivileges"
RUN chown root:root /tmp/tailscalessh.log
RUN chown root:root /tmp/tailscalessh.log
RUN echo "Then run tests in a system that's pretending to be SELinux in enforcing mode"
RUN if echo " $BASE " | grep "ubuntu:" ; then \
RUN mv /usr/bin/login /tmp/login_orig
echo "Then run tests in a system that's pretending to be SELinux in enforcing mode" && \
# Remove execute permissions for /usr/bin/login so that it fails.
mv /usr/bin/login /tmp/login_orig && \
# Use nonsense for /usr/bin/login so that it fails.
# Use nonsense for /usr/bin/login so that it fails.
# It's not the same failure mode as in SELinux, but failure is good enough for test.
# It's not the same failure mode as in SELinux, but failure is good enough for test.
RUN echo "adsfasdfasdf" > /usr/bin/login
echo "adsfasdfasdf" > /usr/bin/login && \
RUN chmod 755 /usr/bin/login
chmod 755 /usr/bin/login && \
# Simulate getenforce command
# Simulate getenforce command
RUN printf "#!/bin/bash\necho 'Enforcing'" > /usr/bin/getenforce
printf "#!/bin/bash\necho 'Enforcing'" > /usr/bin/getenforce && \
RUN chmod 755 /usr/bin/getenforce
chmod 755 /usr/bin/getenforce && \
RUN eval ` ssh-agent -s` && TAILSCALED_PATH = ` pwd ` tailscaled ./tailssh.test -test.v -test.run TestSSHAgentForwarding
eval ` ssh-agent -s` && TAILSCALED_PATH = ` pwd ` tailscaled ./tailssh.test -test.v -test.run TestSSHAgentForwarding && \
RUN TAILSCALED_PATH = ` pwd ` tailscaled ./tailssh.test -test.v -test.run TestIntegration
TAILSCALED_PATH = ` pwd ` tailscaled ./tailssh.test -test.v -test.run TestIntegration && \
RUN mv /tmp/login_orig /usr/bin/login
mv /tmp/login_orig /usr/bin/login && \
RUN rm /usr/bin/getenforce
rm /usr/bin/getenforce \
; fi
RUN echo "Then remove the login command and make sure tests still pass."
RUN echo "Then remove the login command and make sure tests still pass."
RUN rm ` which login`
RUN rm ` which login`
RUN eval ` ssh-agent -s` && TAILSCALED_PATH = ` pwd ` tailscaled ./tailssh.test -test.v -test.run TestSSHAgentForwarding
RUN eval ` ssh-agent -s` && TAILSCALED_PATH = ` pwd ` tailscaled ./tailssh.test -test.v -test.run TestSSHAgentForwarding
RUN rm -Rf /home/testuser
RUN if echo " $BASE " | grep "ubuntu:" ; then rm -Rf /home/testuser; fi
RUN TAILSCALED_PATH = ` pwd ` tailscaled ./tailssh.test -test.v -test.run TestIntegrationSFTP
RUN TAILSCALED_PATH = ` pwd ` tailscaled ./tailssh.test -test.v -test.run TestIntegrationSFTP
RUN rm -Rf /home/testuser
RUN if echo " $BASE " | grep "ubuntu:" ; then rm -Rf /home/testuser; fi
RUN TAILSCALED_PATH = ` pwd ` tailscaled ./tailssh.test -test.v -test.run TestIntegrationSCP
RUN TAILSCALED_PATH = ` pwd ` tailscaled ./tailssh.test -test.v -test.run TestIntegrationSCP
RUN rm -Rf /home/testuser
RUN if echo " $BASE " | grep "ubuntu:" ; then rm -Rf /home/testuser; fi
RUN TAILSCALED_PATH = ` pwd ` tailscaled ./tailssh.test -test.v -test.run TestIntegrationSSH
RUN TAILSCALED_PATH = ` pwd ` tailscaled ./tailssh.test -test.v -test.run TestIntegrationSSH
RUN echo "Then remove the su command and make sure tests still pass."
RUN echo "Then remove the su command and make sure tests still pass."